The User account is not logged in Event ID 566 after the user makes changes to a mailbox

Article translations Article translations
Article ID: 967174 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

In Microsoft Exchange Server 2007, you enable "auditing" to audit changes made to Mailbox Security Descriptor. After you do this, Event ID 566 in the Security log for such modifications include only the computer account and excludes the administrator account. When you check the event ID 566 in the Security log on a Domain Controller, you see an event that resembles the following:
Event Type:	Success Audit
Event Source:	Security
Event Category:	Directory Service Access 
Event ID:	566
User:		<domain name>\<machine account of the mailbox server>
Computer:	<DC server name>
Description:
Object Operation:
 	Object Server:	DS
 	Operation Type:	Object Access
 	Object Type:	user
 	Object Name:	<CN of the mailbox>
 	Handle ID:	-
 	Primary User Name:	<DC server name>
 	Primary Domain:	<domain name>
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	<machine account of the mailbox server>
 	Client Domain:	<domain name>
 	Client Logon ID:	(0x0,0xA63006)
 	Accesses:	Write Property 
			
 	Properties:
	Write Property 
		Exchange Information
			msExchMailboxSecurityDescriptor
	user

 	Additional Info:	
 	Additional Info2:	
 	Access Mask:	0x20

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

CAUSE

In Exchange Server 2007, the Store.exe process executes any changes a user makes to the mailbox permissions. Additionally, the Store.exe process runs under the computer account. Therefore, the computer account and not an administrator account, records the auditing.

RESOLUTION

To resolve this problem, install the following update rollup:
971534 Description of Update Rollup 1 for Exchange Server 2007 Service Pack 2

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
After you apply this update, you must set a registry entry to record the specific administrator account. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Diagnostics\9000 Private
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type 9078 Administrative Actions to name this new entry, and then press ENTER.
  5. Right-click 9078 Administrative Actions, and then click Modify.
  6. Under Base, click Decimal.
  7. In the Value data box, type 1, and then click OK.
  8. After you configure this registry entry, restart the computer.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 967174 - Last Review: November 19, 2009 - Revision: 1.0
APPLIES TO
  • Microsoft Exchange Server 2007 Service Pack 2, when used with:
    • Microsoft Exchange Server 2007 Enterprise Edition
    • Microsoft Exchange Server 2007 Standard Edition
Keywords: 
kbsurveynew kbfix kbexpertiseinter kbhotfixrollup kbqfe KB967174

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com